Hello, we have a lot of Windows terminal servers (TS) and want to access a file server behind a firewall from those TS; only NAT is possible. The problem is that the SMB protocol is not NAT compatible (msdn.microsoft.com/en-us/library/ee441661.aspx).

Simplified NAT (SNAT/DNAT) scenario I used is:

[192.168.1.0/24] -> network with TS
[192.168.2.0/24] -> network where the file server is located
192.168.2.142 => file server
192.168.1.20 => "DNAT IP" for file server

All packets from the TSs in 192.168.1.0/24 will be translated to the src IP 192.168.2.222 (SNAT). TSs are connecting to 192.168.1.20 (DNAT) to open an SMB session.

iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.2.142 -j SNAT --to-source 192.168.2.222
iptables -t nat -A PREROUTING -i eth1 --dst 192.168.1.20 -p tcp --dport 139 -j DNAT --to-destination 192.168.2.142
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 192.168.2.142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.2.142 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A OUTPUT -o eth1 --dst 192.168.1.20 -j ACCEPT

That works fine, but with the described problem: connections are lost because of the imperfection in the SMB protocol. I'm looking for a solution where each new connection (to 192.168.1.20) from a different terminal server gets a new (SNAT) address from a configured dynamic pool in 192.168.2.0.
Using NETMAP is a possible solution; the following example works for me, but it is not dynamic, all IP addresses are mapped 1:1:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24
iptables -t nat -A PREROUTING -i eth1 --dst 192.168.1.20 -p tcp --dport 139 -j DNAT --to-destination 192.168.2.142
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 192.168.2.142 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.2.142 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A OUTPUT -o eth1 --dst 192.168.1.20 -j ACCEPT

If the terminal servers are not located in 192.168.1.0 but in different networks connected via a router, I have a problem ....

Does anyone have a clue?

Thanks
Meike
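One way to get a per-client source address from a pool with plain iptables, added here as an example and not part of Meike's post or any reply on the list: the SNAT target accepts an address range as --to-source, and --persistent keys the choice on the client address so each terminal server keeps one pool address instead of all of them sharing 192.168.2.222. The script assumes interface names (eth1 towards the terminal servers, eth0 towards the file server), a second, routed terminal-server network 192.168.3.0/24, and a free pool 192.168.2.200-192.168.2.220; all of these are constructed for the example and have to be replaced with the real values. It prints the rules by default and only applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original post: a rule set that hands each terminal
# server its own source address from an SNAT pool instead of one shared address.
# Assumptions (constructed for this example): eth1 faces the terminal servers,
# eth0 faces the file server, 192.168.3.0/24 is a second, routed TS network,
# and 192.168.2.200-192.168.2.220 are unused addresses on the file-server LAN.
# Dry run by default: IPT prints the commands. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

TS_NETS="192.168.1.0/24 192.168.3.0/24"   # every network terminal servers live in
FILESERVER="192.168.2.142"                # real file server address (from the post)
DNAT_IP="192.168.1.20"                    # address the terminal servers connect to
POOL="192.168.2.200-192.168.2.220"        # SNAT pool on the file-server LAN (constructed)

# Builds the NAT and forwarding rules for one terminal-server network.
# --persistent makes the kernel pick the pool address from a hash of the client
# address only, so one terminal server keeps one pool address for all of its
# connections while different terminal servers spread across the pool. Once the
# pool has fewer addresses than there are terminal servers, two servers can share
# an address again, which re-creates the original problem for that pair.
nat_rules_for() {
    net="$1"
    # redirect SMB (139 and 445) sent to the DNAT address onto the real file server
    $IPT -t nat -A PREROUTING -i eth1 -s "$net" -d "$DNAT_IP" \
        -p tcp -m multiport --dports 139,445 -j DNAT --to-destination "$FILESERVER"
    # PREROUTING already rewrote the destination, so match on the real server here
    $IPT -t nat -A POSTROUTING -o eth0 -s "$net" -d "$FILESERVER" \
        -j SNAT --to-source "$POOL" --persistent
    # only SMB towards the file server is forwarded; replies ride on conntrack state
    $IPT -A FORWARD -i eth1 -o eth0 -s "$net" -d "$FILESERVER" \
        -p tcp -m multiport --dports 139,445 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth1 -s "$FILESERVER" -d "$net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Emits the complete rule set (one group of four rules per TS network).
nat_rules() {
    for net in $TS_NETS; do
        nat_rules_for "$net"
    done
}

# Number of SNAT-pool rules in the rule set; a quick sanity check (dry run only)
# that every TS network got its own POSTROUTING entry.
count_pool_rules() {
    nat_rules | grep -c -- "--to-source $POOL --persistent"
}

nat_rules
```

After applying, check the translation table with `iptables -t nat -vnL POSTROUTING` and watch the live mappings with `conntrack -L -d 192.168.2.142` (from conntrack-tools); every terminal server should appear with exactly one pool address. A stable per-client address also keeps the file server's own logs able to tell the terminal servers apart, which a single shared SNAT address hides.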